
How do I edit my timechart search with timewrap to compare the latest 2 hours with the same 2 hours 3 days ago?

Hello,

Sorry if this has been answered before, however, I am struggling with a search that I am trying to build.

The ideal result that I am trying to achieve is the following:

I want a time chart to display the last two hours for a field like duration. In addition to showing the last two hours, I want it to show the same hours, but for the previous 3 days. Therefore, I want to compare the recent/latest two hours with those of the previous days.

I thought I could achieve this with the timewrap app, but I am struggling to write the search.

I am trying to do a timechart for multiple panels showing trendlines. So at the end of most of my panels I am just counting the count using stats count. I want to show the difference between this reading in the last 12 hours with the previous day, or something that will show me that my calculations in parameters and so I know if the log files go down, etc. Thanks.

1 Answer

NOTE that I have a gap in MY events (it's just my test/home system) from 96 to 98 hours ago, so I had to use a somewhat different time frame and then adjust it back. It MAY take a little tweaking to get just right, but I think this is it:

The big difference is I use the hourly timeframe of -96 to -98 hours ago for my "4 days ago". So I'm taking now - 4 days (snapped to the hour) as my latest, then going back 2 more hours so that I have the most "aligned" time frame, then appending to that the data from the last 2 hours (also snapped to the hour to make the match as good as possible).

Then I timechart it into 2h chunks, then timewrap it by hours (not days; days will separate these out onto two lines for reasons too lengthy even for me to get into here) to get your two fields. I tossed in, free of any extra charge, a freebie that finds the percentage difference between the two sums, so lucky you! Then I just rename some things.

BTW, no guarantees this will not be off by an hour during the 4 days when the 4-day period involved spans a daylight savings time change. In fact, I know the "96 hours ago" will be off by one hour during those few days. Not sure how to fix that easily.

There are other methods available, but I think that because the small time frames are so widely separated, this is better than most of the others.

Then just follow on with everything else. There are sure to be other minor adjustments, but that should get you started.

If that's not what you need, and you need this question still answered, please reply back with more information!

On the other hand, if this is resolved now and if this helped you significantly, please "Accept" the answer. If this is resolved but my answer didn't help a whole lot, it would be great if you could post your own answer then mark that one accepted!
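As an added example (not part of the original question or answer above), here is one way to get the comparison the question asks for, the latest two hours against the same clock hours on each of the previous 3 days, without appending separate time windows: pull the last four days in one search, let timewrap 1d line the days up on the same _time axis, and then keep only the most recent two hours. The index, sourcetype and the numeric `duration` field are placeholders for your own data; the series names `dur_latest_day`, `dur_1day_before`, `dur_2days_before` and `dur_3days_before` are timewrap's default relative naming for a 1d span and should be confirmed in the Statistics tab of your own results before relying on the rename.

```spl
index=your_index sourcetype=your_sourcetype earliest=-4d@h latest=@h
| timechart span=10m sum(duration) AS dur
| timewrap 1d
| where _time >= relative_time(now(), "-2h@h")
| eval pct_vs_3d_ago = round((dur_latest_day - dur_3days_before) / dur_3days_before * 100, 1)
| rename dur_latest_day AS "Last 2h", dur_1day_before AS "1 day ago", dur_2days_before AS "2 days ago", dur_3days_before AS "3 days ago", pct_vs_3d_ago AS "% vs 3 days ago"
```

How it fits together: earliest=-4d@h latest=@h gives exactly four full 24-hour spans ending at the top of the current hour, so timewrap 1d produces the latest day plus three "before" series; the 10-minute timechart buckets are what line up across days. After timewrap, _time carries the timestamps of the latest day, so the where clause keeps just the two most recent whole hours, which is the window the question wants to compare. The eval mirrors the percentage-difference column in the answer; if a baseline bucket sums to zero, Splunk's eval division returns null for that row rather than erroring, which is the behaviour you want on a chart. Because everything is snapped to the hour in local time, this form also avoids the "96 hours ago" offset the answer mentions across a daylight saving change, at the cost of retrieving four days of events instead of two small windows; if the volume is high, restricting the base search to the fields you need (or a summary index) keeps it cheap.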